Safeguarding PHI as a Business Asset

Former OCR Official Offers HIPAA Compliance Insights
David Holtzman
Healthcare providers and their business associates need to take steps to protect patient data as they would defend any other significant business asset, says David Holtzman, a former senior official at the agency that enforces HIPAA.

"Health information really has to be viewed as an asset of the business, and it should be safeguarded like any other business asset," Holtzman says. He recently joined the security consulting firm CynergisTek after spending eight years as a HIPAA and HITECH Act policy adviser at the Department of Health and Human Services' Office for Civil Rights.

"Covered entities, regardless of where they are in the healthcare industry, and their vendors, should step back and take a broad view to understand what the requirements of the HIPAA privacy and security rules are ... and then take a realistic but broad view to identify the threats and vulnerabilities to the confidentiality, the integrity and availability of the health information that they are creating, holding, or are entrusted with by patients," Holtzman says in the first part of a two-part interview with Information Security Media Group.

He offers an example: "If you are a cloud services vendor, you should take a look at the threats to the health information, particularly if you rely on subcontractors to hold the data for you," he says, and then you should take appropriate measures to mitigate those threats.

Business Associates

Holtzman stresses that although the HIPAA Omnibus Rule didn't change the relationship between covered entities and their business associates, "it expanded the jurisdiction of the direct liability of the [HIPAA] security rule onto the vendors and subcontractors.

"It's very important for covered entities to understand that they need to have business associate agreements in place with anybody they hire to perform a service or contract with for some activity [related to protected health information.] If you have a vendor that says 'I am not a business associate' or 'I won't sign a business associate agreement,' then that should be a sign to the healthcare provider that they need to find a vendor who will offer a business associate agreement."

In the interview, Holtzman also discusses:

  • The importance of encryption in breach prevention, especially in light of breach notification changes under the HIPAA Omnibus Rule;
  • Other important steps that covered entities and business associates should take for HIPAA compliance;
  • Mistakes to avoid in HIPAA Omnibus compliance, such as not providing patients access to their electronic health information.

In part two of the interview, which will be available soon, Holtzman discusses HIPAA enforcement activities and how to prepare for investigations and audits.

Holtzman joined CynergisTek in November as vice president of privacy and security compliance services. Previously, he was a senior adviser at the HHS Office for Civil Rights, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. While at OCR, Holtzman also served as subject matter expert to other federal agencies in the planning, execution and resolution of complex investigations involving reviews of organizations' compliance with the HITECH Act and the HIPAA privacy and security rules. Before joining OCR, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.
